Members of the hacker group Anonymous targeted the U.S. Department of Justice and the Massachusetts Institute of Technology recently in retaliation for the death of Aaron Swartz, a 26-year-old Internet activist and programmer who took his own life in January after illegally downloading millions of academic documents from the university. Swartz believed the documents should be freely distributed, especially since many were funded with public money. He was prosecuted and faced decades in prison — a punishment that many considered too severe for the infraction.
But Anonymous also targeted the Federal Reserve, an innocent bystander in this tech drama, to protest authorities’ handling of the Swartz case. According to Wharton professor of legal studies and business ethics Andrea Matwyshyn, the Fed hacking is significant and has broad implications for information security. Knowledge at Wharton Today spoke with her about the hacking, information security and how businesses should respond after a data breach.
Knowledge at Wharton Today: Government websites have been hacked before. What made this case stand out to you?
Andrea Matwyshyn: Part of what makes this instance of the Federal Reserve being compromised by Anonymous — or at least a vendor to the Federal Reserve being compromised — significant in my mind is both the high profile of the target and the signaling function that this type of [breach] serves regarding the importance of information security for the broader business community. The Federal Reserve in this case was basically a secondary target. Although there was no direct connection between the Federal Reserve and the prosecution of Aaron Swartz, because of other dynamics going on in the broader technology community … government [entities] generally became part of the target group for attacks or acts of protest [by Anonymous].
Knowledge at Wharton Today: What should companies and governments do to better protect themselves against these types of attacks?
Matwyshyn: The first step in crafting a good information security policy for an organization is to recognize that information security is really a holistic enterprise that requires end-to-end planning at the highest levels of the organization. From the moment data is collected and stored in a database to the handling of an incident when something goes awry and information is compromised, the best process is a holistic, thoughtful approach that considers the entire lifecycle of the information.
Knowledge at Wharton Today: What is the cost-benefit analysis of spending on information security by companies and government agencies?
Matwyshyn: The question of the optimal way for companies and agencies to handle their information integrity issues isn’t necessarily closely tied to expenditures. The question really comes down to whether an organization-wide policy exists, from the highest levels of the organization all the way down to the lowest levels, creating a culture of data stewardship and data care. Information security has frequently been relegated to the information systems or IT people, and that cabins it off in one piece of an enterprise instead of creating a culture of data stewardship. That “cabining” creates an atmosphere that’s more likely to result in data loss and data breaches and suboptimal incident response.
There needs to be a tone set from the top about proper data handling and the way that care is exercised throughout the organization with respect to maintaining proprietary and confidential information –- both corporate and consumer information. So, for example, confidentiality agreements should be in place with all members of the organization and not merely with the executives who have the greatest access to research and development. Confidentiality agreements should be put in place all the way down the chain of employees who can access corporate information — even down to the janitorial staff who empty the garbage cans. Information security is only as strong as the weakest link in the chain of information possession.
Knowledge at Wharton Today: How should agencies or companies respond to consumer concerns? What are some best practices that they should follow?
Matwyshyn: Organizations should have a process in place for handling reports [on data security issues] that escalates them smoothly to appropriate decision makers. Organizations should acknowledge and respond to the individual concerned about information security or possible data leakage. The report should be taken seriously in all instances until there’s evidence to the contrary. Sometimes, in lieu of acting cooperatively and funneling these types of reports internally to the correct decision makers who can verify and take action, organizations unfortunately adopt an adversarial posture toward the security researcher or consumer who points out a problem.
Ignoring these external reports or shooting the messenger is a squandered opportunity for improving the integrity of information systems and building commercial trust — both with the public and the information security research community.
The first approach should be a “thank you” and a verification of the veracity of the report rather than a legal threat of retaliatory action.
A second mistake that frequently happens is simply the denial of the existence of problems or the burying of reports. Although the handling of the relationship with the reporting individual may be done in a conciliatory manner, sometimes … fixing the actual problems that gave rise to the initial report does not happen. Similarly, companies or agencies should have external auditors come in and perform information security audits. The auditors will provide useful recommendations for improving the integrity of information security processes. But those recommendations [sometimes] fall by the wayside, and they are never implemented.